Over the past few years the issue of cybersecurity and the threat of hackers stealing data have increased tenfold. Not a day goes by without a report of a retailer losing the credit card details, passwords or login information of thousands of customers. As these attacks become more sophisticated, so do the defences against them; it’s no wonder hackers are looking for alternative ways and areas to exploit.
One industry that is increasingly coming under the microscope is utilities, a sector which is of importance to any country’s infrastructure. One recent example can be seen in Ukraine where cyber criminals managed to hack an electricity generating plant.
When it comes to attacking utilities, hackers usually do this for a couple of reasons. Sometimes it is just to harm a nation’s security interests. Hackers are, in effect, state actors, being paid to compromise critical infrastructure. War is being taken online, and just as much damage can be done to an enemy by taking out their critical infrastructure as through traditional weapons.
However, while external threats are of increasing concern, the biggest threat at the moment still comes from insiders. It has been reported that around 60% of attacks are from insiders, such as a disgruntled employee with a grudge against the company.
Reactive over proactive
Given the vast importance of an organisation’s infrastructure, shouldn’t utilities be one of the hardest industries to breach?
Like any industry, utility companies have to make money. Management teams are generally focused on how to drive revenue, and less emphasis is put on investment in cybersecurity. In fact, many companies take a reactive stance on the issue, investing only after an incident occurs and spending money only when it is absolutely required.
One of the biggest issues the industry faces is that a lot of the systems being used were never designed to be Internet-connected, particularly in the UK, where nuclear power plants were built over 40 years ago. Security was not built in from the start, which is why so many systems are highly vulnerable.
Protection against the threats
So, the question remains: how can utility companies protect themselves from both internal and external threats? Below are three must-do actions for utility companies to avoid becoming the next high-profile company dominating the headlines for the wrong reasons.
1. Perform your own risk analysis – The first step is awareness of the risks and threats that can occur. Senior management need to have a good understanding of what might happen if an area is breached, where their most critical data and systems are, and what protection systems they have in place now. To address these challenges, companies should perform a risk analysis and make both technical and organisational recommendations from it. The risk analysis is necessary to understand which sections of the infrastructure need protecting in order to allocate resources properly.
2. Adopt an intelligence-driven approach – To reduce the threat of intruders, utility companies should adopt an intelligence-driven approach that will detect and resist hackers. Companies going through major transformation programmes also need to be aware of the risks and the impending threats, as this is when many can be at their most vulnerable.
3. Separate operational from corporate networks and limit access – Lastly, utility companies should look to separate their operational and corporate areas of IT. This is so that an attacker who succeeds in accessing the less secure corporate systems is not able to do real physical harm by accessing the operational systems. It is also important to put the right access control procedures in place so that systems are accessed only by those who are authorised to do so, stopping disgruntled employees from accessing sensitive information. This applies to normal and privileged users.
Hackers are increasingly on the lookout for a chance to exploit organisations for personal financial gain. But with utilities, the risk is not the loss of some credit card details, but the loss of an essential service an entire nation depends upon.
With the utilities sector being brought into the digital age at a rapid rate, security must remain at the heart of this transformation or the consequences could be catastrophic.